Guests:

• Kelli Vanderlee, Senior Manager, Threat Analysis, Mandiant, Google Cloud
• Scott Runnels, Mandiant Incident Response, Google Cloud

Topics:

• Do we need to rethink "Mean Time to Respond" entirely, or are we just in deep trouble?
• Why are threat groups collaborating so well, and are there actual lessons for defenders in their "business" model?
• What is the scalable advice for teams worried about voice phishing and GenAI cloning?
• What does "weaponizing the administrative fabric" actually mean in a world where identity is the perimeter?
• Why is identity/SaaS compromise "news" in 2026 when cloud security folks have been shouting about it for years? What actually changed?
• What's the latest in supply chain compromise, particularly regarding malicious open-source packages?
• How do we defend against malware that is "lazy" enough to use the victim's own AI tools for reconnaissance?
• What is the specific advice for Detection and Response (D&R) teams to handle "living off the land" (or "living off the cloud")?
• How do you fix the situation when IT and Security departments genuinely hate each other?
• Besides reading the report, what is the one book or piece of advice for a CISO to survive this year?

Resources:

• Video version
• M-Trends 2026 Report
• EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends
• EP254 Escaping 1990s Vulnerability Management: From Unauthenticated Scans to AI-Driven Mitigation
• EP205 Cybersecurity Forecast 2025: Beyond the Hype and into the Reality
• EP147 Special: 2024 Security Forecast Report
• "The Evolution of Cooperation" book

Guest:

• Raffael Marty, Operating Advisor, a SIEM legend since 1999

Topics:

• You argue that declaring existing SIEM being obsolete is a "marketing slogan" rather than a true thesis. What is the real pain point and the actual gap in traditional SIEMs as opposed to the more sensational claims?
• You highlight that "correlation, state, timelines, and real-time detection require locality," making centralization a necessary trade-off. Can a truly federated or decoupled SIEM architecture achieve the same fidelity and real-time performance for complex, stateful detections as a centralized one?
• You call the rise of independent security data pipelines the "SIEM Trojan Horse." How quickly is this abstraction layer turning SIEM into a "swappable" component, and what should SIEM vendors have done differently years ago to prevent this market from existing?
• This "AI SOC" thing, is this even real? Is AI in a SOC a better label? Do you think major SIEM vendors will own this very soon, like they did with UEBA and SOAR?
• If volume-based pricing is flawed because it penalizes good security hygiene, what is a better SIEM pricing model that fairly addresses compute, enrichment, and retention costs without just shifting the volume cost to unpredictable query charges?
• You question the idea that startups can find a better way to release detection rules than large vendors with significant content teams. What metrics should security leaders use to evaluate the quality of a vendor's detection engineering (DE) output beyond just coverage numbers? Can AI fix DE?

Resources:

• Video version
• The SIEM Maturity Framework: A Practical Scoring Tool for Security Analytics Platforms and raffy.ch/SIEM/
• The Gaps That Created the New Wave of SIEM and AI SOC Vendors
• How AI Impacts the Cyber Market and The Future of SIEM
• Why Venture Capital Is Betting Against Traditional SIEMs
• EP236 Accelerated SIEM Journey: A SOC Leader's Playbook for Modernization and AI
• EP234 The SIEM Paradox: Logs, Lies, and Failing to Detect
• EP125 Will SIEM Ever Die: SIEM Lessons from the Past for the Future
• Decoupled SIEM: Brilliant or Stupid?
• Decoupled SIEM: Where I Think We Are Now?

Guest:

• Allie Mellen, Principal Analyst @ Forrester, author of "Code War: How Nations Hack, Spy, and Shape the Digital Battlefield"

Topics:

• Your book focuses on the US, China, and Russia. When you were planning the book did you also want to cover players like Israel, Iran, and North Korea?
• Most of our listeners are migrating to or operating heavily in the cloud. As nations refine their "digital battlefield" strategies, does the "shared responsibility model" actually hold up against a nation-state actor?
• How does a company's detection strategy need to change when the adversary isn't a teenager looking for a ransom, but a state-funded group whose goal might be long-term persistence or subtle data manipulation? How should people allocate their resources to defending against both of these threats?
• How afraid are you of a "bad guy with AI" scenarios? Mild anxiety or apocalyptic fears?
• Do you see AI primarily helping "Tier 2" nations close the capability gap with the "Big Three," or does it just further cement the dominance of the nations that own the underlying compute and models?
• You've spent a lot of time as an analyst looking at how enterprises buy and run security tech. For a CISO at (say) mid-tier logistics company, should 'nation-state cyberattacks' even be on their threat model? Or is worrying about the spies just a form of security theater when they haven't even solved basic credential theft yet?

Resource:

• Video version
• "Code War: How Nations Hack, Spy, and Shape the Digital Battlefield" by Allie Mellen
• Allie Mellen substack
• The source for the original "air defense on the roof" argument (2008)
• EP255 Separating Hype from Hazard: The Truth About Autonomous AI Hacking
• EP256 Rewiring Democracy & Hacking Trust: Bruce Schneier on the AI Offense-Defense Balance
• EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive
• "Disrupting the first reported AI-orchestrated cyber espionage campaign" report